



Linux Systems Admin
1122 posts

Uber Geek

Trusted
Integrity Tech Solutions
Subscriber

# 236175 21-May-2018 21:08

Simply enabling the IPV6 package (disabled by default) causes the router to not be able to connect to the internet. PPPoE connect attempts fail with no useful information in the log.

 

Has someone else seen this weird issue before?





Integrity Tech Solutions @ Norsewood, New Zealand


5574 posts

Uber Geek


  # 2020081 21-May-2018 21:13

Not seen that, however, /system logging (and assuming winbox/webfig) add a new log type with no topics selected, and action memory. That should enable more info in the log to troubleshoot. Delete or disable that rule though when finished or it will overrun the log very quickly.




Linux Systems Admin
1122 posts

Uber Geek

Trusted
Integrity Tech Solutions
Subscriber

  # 2020090 21-May-2018 21:40

For equally unknown reasons it has now decided to work as far as connecting. But I still don't have working IPV6.

 

The 'howtos' I have found so far indicate the way to do this with Mikrotik is to run a DHCPv6 client on the WAN interface. This does not appear to be working either, showing a status of "searching". Additionally, none of the advice topology I have found reflects how things are done here, leaving me to fill in the blanks.

 

Should this client run on vlan 10 or the pppoe interface?

 

Is the advice wrong and there is another way?

 

What I have done so far:

 

ipv6 / dhcpv6-client

 

interface = dialer0 (pppoe interface)

 

request = prefix

 

pool name = ipv6-pool

 

add default route = yes





Integrity Tech Solutions @ Norsewood, New Zealand


 
 
 
 


189 posts

Master Geek


  # 2020488 22-May-2018 16:17

I've had no trouble running IPv6 on PPPoE on VLAN 10.

 

 

 

The DHCP Client should be listening on the interface where you get your IPv4 public IP - so if you're using PPPoE, it should be on the PPPoE interface.

 

 

 

I've never had the IPv6 module break IPv4. If you have a default-deny policy on your ipv6 firewall (as you should..) you'll need to allow DHCPv6

 

 

 

Which ISP are you with?




Linux Systems Admin
1122 posts

Uber Geek

Trusted
Integrity Tech Solutions
Subscriber

  # 2020489 22-May-2018 16:19

MattR:

 

The DHCP Client should be listening on the interface where you get your IPv4 public IP - so if you're using PPPoE, it should be on the PPPoE interface.

 

 

 

I've never had the IPv6 module break IPv4. If you have a default-deny policy on your ipv6 firewall (as you should..) you'll need to allow DHCPv6

 

 

 

Which ISP are you with?

 

 

So my config should be "correct" then... I am with InspireNet.

 

The IPV6 module thing was weird. It appeared to break it but next time it worked... No explanation.





Integrity Tech Solutions @ Norsewood, New Zealand


189 posts

Master Geek


  # 2020494 22-May-2018 16:58

I'm on 2degrees, so I'm just guessing here.

 

 

 

In the DHCPv6 Client config, which requests do you have? Try "prefix" only - not info or address.

 

 

 

Edit: I see you've already got that..




Linux Systems Admin
1122 posts

Uber Geek

Trusted
Integrity Tech Solutions
Subscriber

  # 2020495 22-May-2018 16:59

MattR:

 

In the DHCPv6 Client config, which requests do you have? Try "prefix" only - not info or address.

 

 

That's what I have, thanks.

 

As follows:

 

ipv6 / dhcpv6-client

 

interface = dialer0 (pppoe interface)

 

request = prefix

 

pool name = ipv6-pool

 

add default route = yes





Integrity Tech Solutions @ Norsewood, New Zealand


189 posts

Master Geek


  # 2020516 22-May-2018 17:33

Inspire's IPv6 page says you need to email them to get it enabled, I assume you've done that?

 

 

 

Are you firewalling icmp6 and/or udp/546?

 

 

 

Can't think of any other reason why it wouldn't work.

 

 


 
 
 
 




Linux Systems Admin
1122 posts

Uber Geek

Trusted
Integrity Tech Solutions
Subscriber

  # 2020522 22-May-2018 17:42

MattR:

 

Inspire's IPv6 page says you need to email them to get it enabled, I assume you've done that?

 

Are you firewalling icmp6 and/or udp/546?

 

 

I was allocated a /56 at the time of setting up the account.

 

I don't see anything mentioned under IP / Firewall or IPV6 / Firewall.

 

But it doesn't say what the default is and I am not yet familiar enough with Mikrotik.

 

Is this something which needs to be explicitly set?





Integrity Tech Solutions @ Norsewood, New Zealand


189 posts

Master Geek


  # 2020535 22-May-2018 18:10

default is allow, so you'll want to configure some rules. Leaving it open to the world is a very bad idea. Do IPv4 right now - there are multiple exploits that target the management interface of the Mikrotik unless it's a very recent OS version.
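
The default-deny IPv6 policy discussed in this thread, sketched as RouterOS rules that still let the DHCPv6 client on the PPPoE interface receive its delegated prefix. This is an added example, not part of any poster's configuration; `dialer0` is the PPPoE interface named in the thread and `bridge-lan` is a hypothetical LAN interface name.

```routeros
# Added example. Assumptions: WAN is the PPPoE interface dialer0 (from the
# thread); bridge-lan is a hypothetical name for the trusted LAN interface.
/ipv6 firewall filter

# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="replies to traffic the router started"
add chain=input action=drop connection-state=invalid
# ICMPv6 carries neighbour discovery and path-MTU discovery; blocking it breaks IPv6
add chain=input action=accept protocol=icmpv6 comment="ICMPv6"
# DHCPv6 server replies arrive on UDP 546 from the ISP's link-local address
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 \
    in-interface=dialer0 comment="DHCPv6 client (prefix delegation)"
add chain=input action=accept in-interface=bridge-lan \
    comment="management and services from the LAN only"
add chain=input action=drop comment="default deny"

# --- forward chain: traffic to and from hosts behind the router ---
# Hosts now have global addresses and no NAT in front of them, so this
# chain is the only thing between them and the internet.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept protocol=icmpv6
add chain=forward action=accept in-interface=bridge-lan out-interface=dialer0 \
    comment="LAN may open connections outbound"
add chain=forward action=drop comment="default deny"

# Check the client afterwards: status should move from "searching" to "bound"
/ipv6 dhcp-client print
```

Any DMZ VLAN that should accept inbound IPv6 connections needs its own explicit forward accept rules above the final drop.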




Linux Systems Admin
1122 posts

Uber Geek

Trusted
Integrity Tech Solutions
Subscriber

  # 2020578 22-May-2018 18:59

MattR:

 

default is allow, so you'll want to configure some rules. Leaving it open to the world is a very bad idea. Do IPv4 right now - there are multiple exploits that target the management interface of the Mikrotik unless it's a very recent OS version.

 

 

I have already restricted access to the management interface and it's the latest O/S. But good advice thanks.





Integrity Tech Solutions @ Norsewood, New Zealand


3403 posts

Uber Geek

Trusted

  # 2020742 22-May-2018 21:25
One person supports this post

If you ask mikrotik support "It will be fixed in ROS 7"





Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here






Linux Systems Admin
1122 posts

Uber Geek

Trusted
Integrity Tech Solutions
Subscriber

  # 2021121 23-May-2018 13:05

Inspire have fixed the issue (configuration problem at their end) and I now have IPV6 (yay!), however, all my DMZ IPV4 traffic is now showing at the remote end as originating from the WAN IP address and not the host's statically assigned publicly-routable IPV4 address.

 

I have covered the obvious bases - checked the host has its correct IPV4 address configured. Check.

 

Plugged my Cisco back in and the problem is fixed so it's definitely at my end.

 

It appears what is happening is the Mikrotik is NATing IPV4 even though it doesn't need to NAT hosts in the DMZ vlan.

 

Whether this is a consequence of enabling IPV6 or something I have just noticed, I don't know. I have only had the Mikrotik for about a week. I disabled IPV6 by stopping the DHCPv6 client and the issue persisted.

 

Can anyone here shed some light on what is happening please? I will continue to Google for a resolution.

 

In Cisco terminology, I assume what's needed is to specify an internal interface for "nat inside".





Integrity Tech Solutions @ Norsewood, New Zealand


2325 posts

Uber Geek

Lifetime subscriber

  # 2021141 23-May-2018 13:23
One person supports this post

You need to look at any masquerade/srcnat rules and apply to a specific source address only (rather than all).




Linux Systems Admin
1122 posts

Uber Geek

Trusted
Integrity Tech Solutions
Subscriber

  # 2021147 23-May-2018 13:38

Spyware:

 

You need to look at any masquerade/srcnat rules and apply to a specific source address only (rather than all).

 

 

Thanks for that. All fixed now.

 

I have learned some new Mikrotik stuff today. :-)





Integrity Tech Solutions @ Norsewood, New Zealand


6966 posts

Uber Geek

Trusted
Subscriber

  # 2021153 23-May-2018 13:56
One person supports this post

You should put a srcnat accept rule before the srcnat masquerade rule that filters the specific addresses in the firewall nat.

 

Cyril
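
The two NAT fixes suggested above (scope the masquerade rule to a source range, and place an accept rule ahead of it), written out as RouterOS rules. This is an added example, not any poster's actual configuration; `dialer0` is the PPPoE interface from the thread, and both subnets are constructed placeholders.

```routeros
# Added example. Constructed values: 203.0.113.8/29 stands in for the
# publicly routable DMZ subnet and 192.168.88.0/24 for the private LAN.
# Substitute the real ranges; dialer0 is the PPPoE interface from the thread.
/ip firewall nat

# 1. DMZ hosts already hold public addresses. action=accept ends srcnat
#    processing for them, so packets leave with their own source address.
add chain=srcnat action=accept src-address=203.0.113.8/29 \
    out-interface=dialer0 comment="no NAT for routed DMZ hosts"

# 2. Masquerade only the private range instead of every source. A rule
#    with no src-address rewrites the DMZ traffic as well, which is the
#    symptom described in the thread (DMZ traffic seen from the WAN IP).
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    out-interface=dialer0 comment="NAT private LAN only"

# Rules are matched top to bottom, first match wins. If an older catch-all
# masquerade rule is still present, scope or remove it, and make sure the
# accept rule is listed above any masquerade rule.
print where chain=srcnat
```

Either measure is enough on its own; using both keeps the DMZ exempt even if a broader masquerade rule is added later. Because the DMZ hosts are reachable directly on public addresses, they depend entirely on the forward filter rules for protection.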

